Cybersecurity Meets IT Risk Management

As the role of technology in corporate operations grows, security vulnerabilities—data theft, leakage of intellectual property, corporate sabotage, denial-of-service attacks—are growing. The damage from attacks like these can affect a company’s profits, reputation, brand, and competitive position. The damage can even affect a company’s viability, as direct costs for data breaches can reach hundreds of millions of dollars.

To fight back, companies must understand the risks they face and develop robust protection systems. A cybersecurity program should focus on data confidentiality, integrity, and availability. Each transaction should be traceable to an accountable person. The origin and history of each piece of information should also be known and well defined.

To ensure security success, executives should also:

Study every angle. Take a systemic and holistic view of IT systems and information and related risks. For example, a bank should focus on end-to-end availability of its client-facing online banking service instead of database, network, or IVR uptime.

Be deliberate. Ensure that IT security and risk management processes and principles are incorporated into the company’s corporate processes by design instead of as an afterthought or add-on.

Evaluate risks. Understand how much risk the business can afford, rather than how much security can be gained for a given budget. Think about which risks might be worth absorbing rather than mitigating.

Create a team. Make sure that IT and information security personnel aren’t at odds. Information security personnel should be advisors to the business. Their job is to ensure that projects meet all security requirements, help the company protect critical information and systems in an economically sensible way, and help projects succeed without any cost to innovation speed.

Plan to fail. Acknowledge that, despite best efforts, 100% security is not possible, and that a security breach of some type is likely inevitable. Then prepare accordingly by testing systems and their ability to recover, identifying vulnerabilities, and designing and testing emergency operating procedures and response plans.

Look for weaknesses. Use scenario planning and war-gaming to help identify security threats and process gaps, and to design appropriate responses.

Cybersecurity should be a major component of a company’s overall risk management program. That means developing a unified, cohesive plan to identify and address potential risks, determine the correct strategy for each risk, and incorporate those strategies into the corporate fabric.

The world’s data store doubles every two years, which means your business data is growing just as quickly. To manage and secure such large volumes of critical business data, you have to understand it. Ask yourself:
